Silver Peak SD-WAN Solution Guide

The following sections describe how you use Silver Peak EdgeConnect with Prisma Access to provide next-generation security on internet-bound traffic.
If you have any issues after you complete these tasks, see Troubleshoot the Silver Peak Remote Network.

Supported Software Versions and Requirements

The Silver Peak-Prisma Access solution is qualified with the following Silver Peak software versions:
  • 8.1.9.0

Supported IKE and IPSec Cryptographic Profiles

You onboard your SD-WAN edge devices using a remote network connection between the edge device at the branch site, HQ, or hub to Prisma Access. Use Panorama to create a remote network connection and create IKE and IPSec crypto profiles; then, set up an IPSec tunnel between the SD-WAN edge device and Prisma Access, using the same crypto profiles you used in Panorama.
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and Silver Peak SD-WAN. A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto Profiles                      | Prisma Access              | Silver Peak EdgeConnect
-------------------------------------|----------------------------|----------------------------------
Tunnel Type                          |                            |
  IPSec Tunnel                       | ✓                          | ✓
  GRE Tunnel                         | —                          | —
Routing                              |                            |
  Static Routes                      | ✓                          | ✓
  Dynamic Routing (BGP)              | ✓                          | —
  Dynamic Routing (OSPF)             | —                          | —
IKE Versions                         |                            |
  IKE v1                             | ✓                          | ✓
  IKE v2                             | ✓                          | —
IPSec Phase 1 DH-Group               |                            |
  Group 1                            | ✓                          | ✓
  Group 2                            | ✓ (Default)                | ✓
  Group 5                            | ✓                          | ✓
  Group 14                           | ✓                          | ✓ (Recommended)
  Group 19                           | ✓                          | ✓
  Group 20                           | ✓ (Recommended)            | —
IPSec Phase 1 Auth (see note below)  |                            |
  MD5                                | ✓                          | —
  SHA1                               | ✓ (Default)                | ✓ (Recommended)
  SHA256                             | ✓                          | ✓
  SHA384                             | ✓                          | ✓
  SHA512                             | ✓ (Recommended)            | ✓
IPSec Phase 1 Encryption             |                            |
  DES                                | ✓                          | —
  3DES                               | ✓ (Default)                | —
  AES-128-CBC                        | ✓ (Default)                | ✓
  AES-192-CBC                        | ✓                          | —
  AES-256-CBC                        | ✓ (Recommended)            | ✓ (Recommended)
IPSec Phase 1 Key Lifetime Default   | ✓ (8 Hours)                | ✓ (8 Hours Recommended)
IPSec Phase 1 Peer Authentication    |                            |
  Pre-Shared Key                     | ✓                          | ✓
  Certificate                        | ✓                          | —
IKE Peer Identification              |                            |
  FQDN                               | ✓                          | ✓
  IP Address                         | ✓                          | ✓
  User FQDN                          | ✓                          | ✓
IKE Peer                             |                            |
  As Static Peer                     | ✓                          | ✓
  As Dynamic Peer                    | ✓                          | —
Options                              |                            |
  NAT Traversal                      | ✓                          | ✓
  Passive Mode                       | ✓                          | —
Ability to Negotiate Tunnel          |                            |
  Per Subnet Pair                    | ✓                          | —
  Per Pair of Hosts                  | ✓                          | —
  Per Gateway Pair                   | ✓                          | ✓
IPSec Phase 2 DH-Group               |                            |
  Group 1                            | ✓                          | ✓
  Group 2                            | ✓ (Default)                | ✓
  Group 5                            | ✓                          | ✓
  Group 14                           | ✓                          | ✓ (Recommended)
  Group 19                           | ✓                          | ✓
  Group 20                           | ✓ (Recommended)            | —
  No PFS                             | ✓                          | ✓
IPSec Phase 2 Auth                   |                            |
  MD5                                | ✓                          | —
  SHA1                               | ✓ (Default)                | ✓
  SHA256                             | ✓                          | ✓ (Recommended)
  SHA384                             | ✓                          | ✓
  SHA512                             | ✓ (Recommended)            | ✓
  None                               | ✓                          | —
IPSec Phase 2 Encryption             |                            |
  DES                                | ✓                          | —
  3DES                               | ✓ (Default)                | —
  AES-128-CBC                        | ✓ (Default)                | ✓
  AES-192-CBC                        | ✓                          | —
  AES-256-CBC                        | ✓                          | ✓ (Recommended)
  AES-128-CCM                        | ✓                          | —
  AES-128-GCM                        | ✓                          | —
  AES-256-GCM                        | ✓ (Recommended)            | —
  NULL                               | ✓                          | ✓
IPSec Protocol                       |                            |
  ESP                                | ✓                          | ✓
  AH                                 | ✓                          | —
IPSec Phase 2 Key Lifetime Default   | ✓ (1 Hour)                 | ✓ (1 Hour Recommended; lifebytes also supported)
Tunnel Monitoring Fallback           |                            |
  Dead Peer Detection (DPD)          | ✓                          | ✓
  ICMP                               | ✓                          | ✓ (HTTP GET also supported)
  Bidirectional Forwarding Detection (BFD) | —                    | —
SD-WAN Architecture Type             |                            |
  With Regional Hub/Gateway/Data Center | N/A                     | ✓
  No Regional Hub/Gateway/Data Center   | N/A                     | ✓

Note on IPSec Phase 1 Auth: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).

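Because the same crypto profiles must be configured on both Panorama and the EdgeConnect, it helps to validate a proposed profile against the matrix before touching either side. The following is an added example (not code from the Palo Alto Networks or Silver Peak guides): the MATRIX is a hand-transcribed subset of the table above, and the WEAK set, the setting names and the constructed proposals are this example's own conventions.

```python
# setting -> (supported by Prisma Access, supported by Silver Peak EdgeConnect); subset of the table
MATRIX = {
    "routing": {"static": (True, True), "bgp": (True, False), "ospf": (False, False)},
    "ike_version": {"ikev1": (True, True), "ikev2": (True, False)},
    "peer_auth": {"psk": (True, True), "certificate": (True, False)},
    "p1_dh": {"group2": (True, True), "group14": (True, True), "group19": (True, True), "group20": (True, False)},
    "p1_auth": {"md5": (True, False), "sha1": (True, True), "sha256": (True, True), "sha512": (True, True)},
    "p1_enc": {"des": (True, False), "3des": (True, False), "aes-128-cbc": (True, True), "aes-256-cbc": (True, True)},
    "p2_dh": {"group2": (True, True), "group14": (True, True), "group20": (True, False), "no-pfs": (True, True)},
    "p2_auth": {"md5": (True, False), "sha1": (True, True), "sha256": (True, True), "sha512": (True, True), "none": (True, False)},
    "p2_enc": {"3des": (True, False), "aes-128-cbc": (True, True), "aes-256-cbc": (True, True), "aes-256-gcm": (True, False)},
}
# Settings the table still lists but that a reviewer should flag; this is the example's own policy
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5", "no-pfs", "none"}

def check_proposal(proposal: dict[str, str]) -> list[str]:
    """Return findings for a {setting: value} proposal; an empty list means both sides support it."""
    findings = []
    for setting, value in proposal.items():
        support = MATRIX.get(setting, {}).get(value)
        if support is None:
            findings.append(f"{setting}={value}: not in this example's subset of the table")
            continue
        prisma, edge = support
        if not prisma:
            findings.append(f"{setting}={value}: not supported by Prisma Access")
        if not edge:
            findings.append(f"{setting}={value}: not supported by Silver Peak EdgeConnect")
        if value in WEAK:
            findings.append(f"{setting}={value}: weak or deprecated, use a recommended setting")
    # Table note: IKEv2 with certificate-based peer authentication supports only SHA1 in Phase 1
    if (proposal.get("ike_version") == "ikev2" and proposal.get("peer_auth") == "certificate"
            and proposal.get("p1_auth") != "sha1"):
        findings.append("p1_auth: IKEv2 with certificates supports only sha1")
    return findings

# Constructed proposal using only settings the table marks as supported on both sides
RECOMMENDED = {"routing": "static", "ike_version": "ikev1", "peer_auth": "psk",
               "p1_dh": "group14", "p1_auth": "sha256", "p1_enc": "aes-256-cbc",
               "p2_dh": "group14", "p2_auth": "sha256", "p2_enc": "aes-256-cbc"}
# Constructed counter-example: acceptable to Prisma Access alone, but not to an EdgeConnect 8.1.9.0 peer
MISMATCH = {**RECOMMENDED, "routing": "ospf", "ike_version": "ikev2", "p1_dh": "group20",
            "p1_enc": "3des", "p2_dh": "group2", "p2_enc": "aes-256-gcm"}
```

Run check_proposal on the profile you intend to push from Panorama; any finding means the tunnel will either fail to negotiate or negotiate with a setting you should not accept.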
SD-WAN Deployment Architectures Supported by Silver Peak

Silver Peak supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment is not supported.
Use Case                                                                      | Architecture                                                                                              | Supported?
------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-----------
Securing traffic from each branch site with 1 WAN link (Type 1)               | Use an IPSec tunnel from each branch to Prisma Access. Use a Silver Peak EdgeConnect device at the branch. (diagram) | Yes
Securing branch and HQ sites with active/backup SD-WAN connections            | (diagram)                                                                                                 | Yes
Securing branch and HQ sites with active/active SD-WAN connections            | (diagram)                                                                                                 | Yes
Securing branch and HQ sites with SD-WAN edge devices in HA mode              | (diagram)                                                                                                 | Yes
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)       | (diagram)                                                                                                 | Yes
